Updates the encryption configuration of a Logstore. You can create encryption configurations for the Logstore and enable or disable the encryption feature.
Operation description
Limits
If you specify a data encryption method when you configure data encryption settings, you cannot switch to the other method after the configuration. In addition, you cannot change the encryption algorithm or the encryption type. You can only enable or disable the encryption feature by using the enable parameter. If you specify the encryption method by using the service key of Simple Log Service when you configure data encryption settings, you cannot switch to the encryption method by using Bring Your Own Key (BYOK) keys after the configuration.
Create encryption configurations
Encryption by using service keys
Simple Log Service is fully responsible for data encryption and key management. No additional operations are required. When you create encryption configurations for the Logstore, you must specify the enable and encryptType parameters.
Encryption by using BYOK keys
You must create a customer master key (CMK) in Key Management Service (KMS). Then, Simple Log Service encrypts logs by using the CMK. When you create encryption configurations for the Logstore, you must specify the enable, encryptType, and userCmkInfo parameters.
Enable or disable the encryption feature
After you create encryption configurations for the Logstore, you cannot modify the encryptType or userCmkInfo parameters. However, you can enable and disable the encryption feature by using the enable parameter.
RAM authorization
Request syntax
PUT /logstores/{logstore}/encryption HTTP/1.1
Path Parameters
| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
| logstore | string | Yes | The Logstore. | test-logstore |
Request parameters
| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
| project | string | Yes | The Simple Log Service project. | test-project |
| body | object | No | The request struct. | |
| enable | boolean | Yes | Specifies whether to enable the encryption feature. After you update the encryption configuration of the Logstore, you can modify only the enable parameter in subsequent update requests. You cannot modify the encryptType or userCmkInfo parameters. | true |
| encryptType | string | No | The encryption algorithm. Valid values: default, m4, sm4_ecb, sm4_cbc, sm4_gcm, aes_ecb, aes_cbc, aes_cfb, aes_ofb, and aes_gcm. | default |
| userCmkInfo | object | No | Optional. If you use a BYOK key to encrypt logs, you must specify this parameter. If you use the service key of Simple Log Service to encrypt logs, you do not need to specify this parameter. | |
| keyId | string | No | The ID of the CMK to which the BYOK key belongs. You can create a CMK in KMS. The CMK must be in the same region as the endpoint of Simple Log Service. | f5136b95-2420-ab31-xxxxxxxxx |
| roleArn | string | No | The Alibaba Cloud Resource Name (ARN) of the Resource Access Management (RAM) role. The value is in the acs:ram::12344***:role/xxxxx format. To use a BYOK key to encrypt logs, you must create a RAM role and grant the AliyunKMSReadOnlyAccess and AliyunKMSCryptoUserAccess permissions to the RAM role. You must grant the API caller the PassRole permission on the RAM role. | acs:ram::12344***:role/xxxxx |
| regionId | string | No | The region ID. Example: cn-hangzhou. | cn-hangzhou |
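A pre-flight check for the request body, added here as an example and not taken from the Simple Log Service documentation or SDK: it applies the limits described above before a request is sent. The function name, the nesting of keyId, roleArn and regionId under userCmkInfo, the requirement that all three be present for BYOK, and sending only enable on later updates are assumptions.

```python
import json

# Valid encryptType values, copied from the request parameter table on this page.
ENCRYPT_TYPES = {"default", "m4", "sm4_ecb", "sm4_cbc", "sm4_gcm",
                 "aes_ecb", "aes_cbc", "aes_cfb", "aes_ofb", "aes_gcm"}
# Assumption: these three fields are nested under userCmkInfo and all needed for BYOK.
CMK_FIELDS = ("keyId", "roleArn", "regionId")


def build_encryption_body(enable, encrypt_type=None, user_cmk_info=None, existing=None):
    """Return the JSON body for PUT /logstores/{logstore}/encryption.

    `existing` is the body that created the configuration (None on first use).
    Raises ValueError when the request breaks a rule stated on this page.
    """
    if not isinstance(enable, bool):
        raise ValueError("enable must be a boolean")
    if existing is not None:
        # After creation only `enable` may change; type and key are fixed,
        # so a service-key Logstore cannot be moved to BYOK or the reverse.
        if encrypt_type not in (None, existing.get("encryptType")):
            raise ValueError("encryptType cannot be changed after creation")
        if user_cmk_info not in (None, existing.get("userCmkInfo")):
            raise ValueError("userCmkInfo cannot be changed after creation")
        # Assumption: an update carries only the `enable` flag.
        return json.dumps({"enable": enable}, sort_keys=True)
    if encrypt_type not in ENCRYPT_TYPES:
        raise ValueError(f"encryptType must be one of {sorted(ENCRYPT_TYPES)}")
    body = {"enable": enable, "encryptType": encrypt_type}
    if user_cmk_info is not None:  # BYOK path
        missing = [f for f in CMK_FIELDS if not user_cmk_info.get(f)]
        if missing:
            raise ValueError(f"userCmkInfo is missing {missing}")
        body["userCmkInfo"] = {f: user_cmk_info[f] for f in CMK_FIELDS}
    return json.dumps(body, sort_keys=True)
```
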
Response elements
| Element | Type | Description | Example |
|---|---|---|---|

None defined.
Examples
Success response
JSON format
{}
Error codes
| HTTP status code | Error code | Error message | Description |
|---|---|---|---|
| 404 | ProjectNotExist | The Project does not exist: xxxx. | The log entry does not exist. |
| 404 | LogStoreNotExist | logstore xxxx does not exist. | The Logstore does not exist. |
See Error Codes for a complete list.
Release notes
See Release Notes for a complete list.